Remove references to security scanning for private repos (#6444)

_data/toc.yaml

@@ -3087,8 +3087,6 @@ manuals:
       title: Link to a source code repository
     - path: /docker-cloud/builds/push-images/
       title: Push images to Docker Cloud
-    - path: /docker-cloud/builds/image-scan/
-      title: Docker security scanning
     - path: /docker-cloud/builds/automated-build/
       title: Automated builds
     - path: /docker-cloud/builds/automated-testing/

datacenter/dtr/2.4/guides/admin/configure/set-up-vulnerability-scans.md

@@ -2,6 +2,8 @@
 title: Set up Security Scanning in DTR
 description: Enable and configure Docker Security Scanning for Docker Trusted Registry.
 keywords: registry, scanning, security scan, vulnerability, CVE
+redirect_from:
+- /docker-cloud/builds/image-scan/
 ---
 
 This page explains how to set up and enable Docker Security Scanning on an existing installation of Docker Trusted Registry.

docker-cloud/builds/image-scan.md

@@ -1,171 +0,0 @@
----
-description: 'Docker Security Scanning: automatic image scanning'
-keywords: Docker, docker, scan, scanning, security, registry, plans, Docker Cloud, docs, documentation, trusted, builds, trusted builds, automated builds
-title: Docker Security Scanning
----
-
-> **The Docker Security Scanning preview service will end on March 31st, 2018, for private repos (not official repos) in both Docker Cloud and Docker Hub. Until then, scanning in private repos is limited to one scan per day on the “latest” tag.**
-
-Docker Cloud and Docker Hub can scan images in private repositories to verify
-that they are free from known security vulnerabilities or exposures, and report
-the results of the scan for each image tag.
-
-On Docker Hub, Docker Security Scanning looks a little different than the images
-in this document.
-
-![Scanned results](images/scan-view.png)
-
-Docker Security Scanning is available as an add-on to Docker hosted private
-repositories on both Docker Cloud and Docker Hub. The feature is available as a
-free preview for private repository subscribers for a limited time.
-
-During the free period, Docker Security Scanning scans the three most recently
-updated tags in each of your private repositories. You can push an update to an
-older tag to trigger a scan. The scan runs on each new image push, and updates
-the scan results when new information comes in from the CVE databases.
-
-You can also view scan results for Official Images on Docker Hub if you are logged in.
-
-## View Docker Security Scanning results
-
-Once you opt-in to the Docker Security Scanning and the scan process completes, you can view the scan results for your private repos.
-
-To view scan results:
-
-1. Log in to Docker Cloud or Docker Hub.
-
-2. Navigate to the repository details page.
-
-3. Click **Tags**.
-
-    The Tag view displays a summarized view of each tag scan, and the
-    age of the scan.
-
-    ![Scanned tags](images/scan-tags.png)
-
-    A solid green bar indicates a clean scan without known vulnerabilities.
-    Colored stripes in yellow, orange, and red indicate minor, major, and
-    critical vulnerabilities respectively.
-
-    >**Tip:** Vulnerability scores are defined by the entity that issues the vulnerability, such as [NVD](https://nvd.nist.gov/), and are based on a [Qualitative Severity Rating Scale](https://www.first.org/cvss/specification-document#5-Qualitative-Severity-Rating-Scale) defined as part of the [Common Vulnerability Scoring System (CVSS) specification](https://www.first.org/cvss/specification-document).
-
-4. Click a scan summary to see more detailed results for the specific tag.
-
-    The scan results show the image's layers, and each layer can have one or more scannable components. Layers with components display them in a grid, with one square representing each component. These squares are color coded to indicate the seriousness of vulnerability.
-
-    Only components that add software are scanned. If a layer has no scannable components, it shows a `No components in this layer` message.
-
-    ![Scanned results](images/scan-view.png)
-
-    > **Note**: *Base Layers* contain components that are included in the parent
-    > image, but that you did not build and that you may not have access to edit.
-    > If a Base Layer contains a vulnerability, you should switch to a version
-    > of the parent image that does not have any vulnerabilities, or to a similar
-    > but more secure image.
-
-5. Click a square in the grid to see the vulnerability report for that specific component.
-
-    ![Scanned component preview](images/scan-single.png)
-
-6. Click the arrow icon to expand the list and show all of the vulnerable components and their CVE report codes.
-
-    ![Scanned components](images/scan-full-details.png)
-
-7. From here, you can click one of the CVE codes to view the original report about the vulnerability.
-
-> **Note**: You can also see scan results for Docker's Official Images as long as you are logged in to Docker Hub, regardless of if you are a subscriber or not.
-
-### What do I do next?
-
-If you are viewing scan results for an Official Image and you find a
-vulnerability, you might want to check if there is an updated version available,
-or contact the image's maintainers to ensure that the vulnerability is being
-addressed.
-
-When you enable scanning on your images, you can use the information in the
-linked CVE reports to decide what to do. You might correct a vulnerability by
-using an updated version of the component, or a different component entirely.
-When you push an update to the code, the new image push re-triggers the scan.
-
-If the vulnerability is in a `base layer` you might not be able to correct the
-issue in the image. Consider switching to a different version of the
-base layer or an equivalent, less vulnerable base layer. You
-might also decide that the vulnerability or exposure is acceptable.
-
-## The Docker Security Scan process
-
-Security scanning is enabled on a per-repository basis and is only available for
-private repositories. Scans run each time a build pushes a new image to your
-private repository. They also run when you add a new image or tag. Most scans
-complete within an hour, however large repositories may take up to 24 hours to
-scan. The scan traverses each layer of the image, identifies the software
-components in each layer, and indexes the SHA of each component.
-
-The scan compares the SHA of each component against the Common Vulnerabilities
-and Exposures (CVE®) database. The CVE is a "dictionary" of known information
-security vulnerabilities. When the CVE database is updated, the service reviews
-the indexed components for any that match the new vulnerability. If the new
-vulnerability is detected in an image, the service sends an email alert to the
-maintainers of the image.
-
-A single component can contain multiple vulnerabilities or exposures and Docker
-Security Scanning reports on each one. You can click an individual vulnerability
-report from the scan results and navigate to the specific CVE report data to
-learn more about it.
-
-## Frequently Asked Questions
-
-Docker Security Scanning is available as a free preview for private repositories
-for a limited time. Security scanning is only available for Docker Official
-Images on Docker Hub, and for paid private repositories in Docker Cloud during
-this free period.
-
-<b>We invite you to try it out! Send us your feedback through our <a href="https://forums.docker.com/c/docker-cloud/docker-security-scanning" target="_blank" class="_" >Docker Product Forums</a>.</b>
-
-
-#### Will Docker Security Scanning always be available for free?
-
-No. We are making Security Scanning available as a free preview for a limited
-time. After that, Security Scanning will be available as a purchase for your
-private repository subscriptions.
-
-#### Can I scan my organization's repositories (public and/or private)?
-
-Yes. You can view scans for your Organization's private repositories on both
-Docker Hub and Docker Cloud.
-
-#### Can I scan my public repositories?
-
-Not yet. We’re working to make Docker Security Scanning available to teams and
-organizations, as well as public repositories. Stay tuned!
-
-#### Are my repositories automatically scanned on push?
-
-Yes. The images in your repositories are automatically scanned each time a new
-image is pushed. When you first sign up for Security Scanning, we scan three most recently pushed tags. We then scan any new image that you push.
-
-#### Are my repositories automatically scanned when new vulnerabilities are discovered?
-
-Docker Security Scanning indexes the components in your image, so we don't need
-to re-scan your images when new vulnerabilities are reported. Instead, we match
-the components in new CVE reports to what we know is already in your image, and
-quickly generate an updated report.
-
-#### What do I do if I think the scan results are incorrect?
-
-If a scan shows a vulnerability that you think is incorrect, if you think a
-vulnerability's category is incorrect, or if you believe there is a
-vulnerability that has not been detected by the scanning process, contact Docker Support and include the information listed
-[here](https://success.docker.com/Cloud/How_to_report_a_false_positive_in_Docker_Security_Scanning).
-
-#### I just pushed to my repository, but the scan results aren't showing up or haven't been updated, why?
-
-Docker Security Scanning generates and indexes a hash of the byte code of each
-component in the image. This usually completes quickly, however scanning can
-take up for 24 hours, especially if the image is large or contains many smaller
-components.
-
-## Related information
-
-* [Learn about CVE and how it compiles data](https://cve.mitre.org/about/index.html).
-* [How to create a Docker Official image](/docker-hub/official_repos/)

docker-cloud/builds/index.md

@@ -19,8 +19,7 @@ running services when a build passes its tests.
 * [Push images to Docker Cloud](push-images.md)
 * [Link to a source code repository](link-source.md)
 * [Automated builds](automated-build.md)
-* [Docker Security Scanning](image-scan.md)
 * [Automated repository tests](automated-testing.md)
 * [Advanced options for Autobuild and Autotest](advanced.md)
 
-![Docker Cloud repository General view](images/repo-general.png)
+![Docker Cloud repository General view](images/repo-general.png){:width="650px"}

docker-cloud/release-notes.md

@@ -24,7 +24,7 @@ In our May 2016 release, we introduced a new user interface for Docker Cloud. Tr
 
 ### Added
 
-**Docker Cloud Security Scanning** is now available as a beta add-on service for private repositories. See [Security scanning in Docker Cloud](builds/image-scan.md) for more information.
+**Docker Cloud Security Scanning** is now available as a beta add-on service for private repositories. 
 
 ### Fixed
 

docker-store/publish.md

@@ -27,22 +27,20 @@ title: Publish content on Docker Store
 
 ## Onboarding
 
-The publishing process for the Docker Store is straightforward, and can be
-initiated from the landing page. You can sign in with your Docker ID, and
-specify a product name and image source from a private repository. We require
-that your product images are stored in private repositories via Docker Cloud
-and/or Hub, as they serve as an internal staging area from which you can revise
-and submit content for review.
+The Docker Store publishing process begins from the landing page: sign in with
+your Docker ID and specify a product name and image source from a private
+repository. Your product images must be stored in private repositories of Docker
+Cloud and/or Hub as they serve as an internal staging area from which you can
+revise and submit content for review.
 
-Once you specify a private-repository source for your product, you can provide
-the content-manifest items to populate your product’s details page. These items
-include logos, descriptions, and licensing and support links so that customers
-can make informed decisions about your image. These items are submitted
-alongside the image itself for moderation.
+After specifying a source, provide the content-manifest items to populate your
+product details page. These items include logos, descriptions, and licensing and
+support links so that customers can make informed decisions about your image.
+These items are submitted alongside the image itself for moderation.
 
 The Docker Store team then conducts a comprehensive review of your image and
-metadata. We use Docker Security Scanning to evaluate your product images’
-security, and share results with you as the publisher. During the
+metadata. We use Docker Security Scanning to evaluate the security of your
+product images, and share results with you as the publisher. During the
 image-moderation phase, we iterate back and forth with publishers to address
 outstanding vulnerabilities and content-manifest issues until the image is ready
 for publication.
@@ -51,16 +49,16 @@ Commercial content and other supported images may qualify for the Docker
 Certified Container or Plugins quality mark. The testing for this program goes
 beyond the vulnerability scan and also evaluates container images for Docker
 best practices developed over years of experience. Collaborative support
-capability between Docker and the publisher is also established. Refer
-to the diagram below for a high-level summary:
+capability between Docker and the publisher is also established. Refer to the
+diagram below for a high-level summary:
 
 ![publishing workflow](images/publish-diagram.png)
 
 ## Create great content
 
 Create your content, and follow our best practices to Dockerize it. Keep your
-images small, your layers few, and your components secure. Refer to the
-links and guidelines listed below to build and deliver great content:
+images small, your layers few, and your components secure. Refer to the links
+and guidelines listed below to build and deliver great content:
 
 * [Best practices for writing Dockerfiles](/engine/userguide/eng-image/dockerfile_best-practices/)
 
@@ -75,20 +73,20 @@ Here are some best practices when it comes to building vulnerability-free Docker
 
 Many base images have a strong record of being secure, including:
 
-* [Debian](https://hub.docker.com/r/library/debian/tags/jessie/){: target="_blank"
-class="_"} Linux: both small and tightly-controlled, Debian-linux is a good
-alternative if you're currently using Ubuntu.
+* [Debian](https://hub.docker.com/r/library/debian/tags/jessie/){: target="_blank" class="_"}
+  Linux: both small and tightly-controlled, Debian-linux is a good alternative
+  if you're currently using Ubuntu.
 
-* [Alpine](https://hub.docker.com/_/alpine/){: target="_blank" class="_"} Linux: Alpine is a minimal linux distribution with an
-excellent security record.
+* [Alpine](https://hub.docker.com/_/alpine/){: target="_blank" class="_"} Linux:
+  Alpine is a minimal linux distribution with an excellent security record.
 
 * Alpine-based application images: these include `python:alpine`, `ruby:alpine`,
-and `golang:alpine`. They are secure and minimal, while providing the
-convenience of their non-Alpine alternatives.
+  and `golang:alpine`. They are secure and minimal, while providing the
+  convenience of their non-Alpine alternatives.
 
-Docker strongly recommends Alpine Linux. The founder of this Linux
-distribution is leading an initiative at Docker to provide safe, compact base
-images for all container applications.
+Docker strongly recommends Alpine Linux. The founder of this Linux distribution
+is leading an initiative at Docker to provide safe, compact base images for all
+container applications.
 
 ### Remove unused components
 
@@ -97,28 +95,28 @@ containerized application. To avoid this, you can:
 
 * Follow best practices when using the `apt-get` command.
 
-* Make sure to run `apt-get-remove` to destroy any components required to build
-but not actually run your application. Usually, this involves creating
-multi-line Dockerfile directives, as seen below. The following example shows
-how to remove `curl` and `python-pip` after they are used to install the
-Python `requests` package, all in a single Dockerfile directive:
+* Run `apt-get-remove` to destroy any components required to build but not
+  actually run your application. Usually, this involves creating multi-line
+  Dockerfile directives, as seen below. The following example shows how to remove
+  `curl` and `python-pip` after they are used to install the Python `requests`
+  package, all in a single Dockerfile directive:
 
-```shell
-RUN apt-get update && \
+  ```shell
+  RUN apt-get update && \
            apt-get install -y --no-install-recommends curl python-pip && \
            pip install requests && \
            apt-get remove -y python-pip curl && \
            rm -rf /var/lib/apt/lists/
-```
+  ```
 
-> **Note**: Files introduced in one directive of your Dockerfile can only be
-> removed in the same directive (and not in subsequent directives in your Dockerfile).
+> Files introduced in one directive of your Dockerfile can only be removed in
+> the same directive (and not in subsequent directives in your Dockerfile).
 
 ### Keep required components up-to-date
 
-Your images are comprised of open-source libraries and packages that amass
-vulnerabilities over time and are consequently patched. To optimize your
-product’s integrity, you must keep your images up-to-date:
+Your images are composed of open-source libraries and packages that amass
+vulnerabilities over time and are consequently patched. To ensure the integrity
+of your product, keep your images up-to-date:
 
 * Periodically update your base image's version, especially if you’re using a
   version deemed to be vulnerable.
@@ -127,14 +125,6 @@ product’s integrity, you must keep your images up-to-date:
   `apt-get install ...` pull the latest versions of dependencies, which may
   include security fixes.
 
-### Scan your own private repositories
-
-Eliminating vulnerabilities is a trial-and-error process. To speed it up,
-consider using Docker Security Scanning on your own private Docker repositories
-in Docker Cloud and Docker Hub. This feature allows you to scan images you
-create on-demand, without relying on the scans provided by the Docker Publisher
-Program.
-
 ## Create and maintain your publisher profile in the Store
 
 Let the Docker community know who you are. Add your details, your company
@@ -172,8 +162,8 @@ discoverable:
 
 ### How the manifest information is displayed in the UI
 
-This is an approximate representation. We frequently make
-enhancements to the look and some elements might shift around.
+This is an approximate representation. We frequently make enhancements to the
+look and some elements might shift around.
 
 ![manifest information displayed on store UI](images/subscribed.png)
 
@@ -198,18 +188,78 @@ response-time expectations, where applicable.
 
 ## Security and audit policies
 
+Docker Store [scans](#docker-security-scanning) your official images for
+vulnerabilities with the Docker Security Scanning tool, and
+[audits](#usage-audit-and-reporting) consumer activity of your images to provide
+you intelligence about the use of your product.
+
 ### Docker Security Scanning
 
-We use Docker Security Scanning to automatically and continuously assess your
-products’ integrity. The tool deconstructs images, conducts a binary scan of
-the bits to identify the open-source components present in each image layer, and
-associates those components with known vulnerabilities and exposures. We then
-share the scan results with you as the publisher, so that you can modify your
-images’ content accordingly. Your scan results are private, and are never
-shared with end customers or other publishers.
+Docker Security Scanning automatically and continuously assesses the intergity
+of your products. The Docker Security Scanning tool deconstructs an image,
+conducts a binary scan of the bits to identify the open-source components
+present in each image layer, and associates those components with known
+vulnerabilities and exposures.
 
-To interpret the results, refer to the
-[documentation](/docker-cloud/builds/image-scan.md).
+Docker then shares the scan results with you as the publisher, so that you can
+modify the content of your images as necessary. Your scan results are private,
+and are never shared with end customers or other publishers.
+
+#### Interpret results
+
+To interpret the results of a scanned image:
+
+1.  Log on to [Docker Store](https://store.docker.com){: target="_blank" class="_"}.
+
+2.  Navigate to the repository details page (for example,
+    [Nginx](https://store.docker.com/images/nginx){: target="_blank" class="_"}).
+
+3.  Click **View Available Tags** under the pull command in the upper right of
+    the UI.
+
+    Displalyed is a list of each tag scan with its age. A solid green bar
+    indicates a clean scan without known vulnerabilities. Yellow, orange, and
+    red indicate minor, major, and critical vulnerabilities respectively.
+
+    ![Scanned tags](images/scan-tags.png)
+
+    > Vulnerability scores
+    >
+    > Vulnerability scores are defined by the entity that issues the
+    > vulnerability, such as [NVD](https://nvd.nist.gov/){: target="_blank" class="_"},
+    > and are based on a
+    > [Qualitative Severity Rating Scale](https://www.first.org/cvss/specification-document#5-Qualitative-Severity-Rating-Scale){: target="_blank" class="_"}
+    > defined as part of the
+    > [Common Vulnerability Scoring System (CVSS) specification](https://www.first.org/cvss/specification-document){: target="_blank" class="_"}.
+
+4.  Click a scan summary to see a list of results for each layer of the image.
+
+    Each layer may have one or more scannable components represented by colored
+    squares in a grid.
+
+    ![Scanned results](images/scan-view.png)
+
+    > Base layers
+    >
+    > Base layers contain components that are included in the parent image,
+    > but that you did not build and may not be able to edit. If a base layer
+    > has a vulnerability, switch to a version of the parent image that does not
+    > have any vulnerabilities, or to a similar but more secure image.
+
+5.  Hover over a square in the grid, then click to see the vulnerability report
+    for that specific component.
+
+    Only components that add software are scanned. If a layer has
+    no scannable components, it shows a `No components in this layer` message.
+
+    ![Scanned component preview](images/scan-single.png)
+
+6.  Click the arrow icon (twice) to expand the list and show all vulnerable
+    components and their CVE report codes.
+
+    ![Scanned components](images/scan-full-details.png)
+
+7.  Click one of the CVE codes to view the original vulnerability report.
 
 #### Classification of issues
 
@@ -302,17 +352,17 @@ the partner.
 Docker Certified Container images and plugins are meant to differentiate high
 quality content on Docker Store. Customers can consume Certified Containers with
 confidence knowing that both Docker and the publisher stands behind the
-solution. Further details can be found in the [Docker Partner Program Guide](https://www.docker.com/partnerprogramguide){: target="_blank" class="_"}.
+solution. Further details can be found in the
+[Docker Partner Program Guide](https://www.docker.com/partnerprogramguide){: target="_blank" class="_"}.
 
 #### What are the benefits of Docker Certified?
 
-Docker Store promotes Docker Certified Containers and Plugins running on
-Docker Certified Infrastructure trusted and high quality content. With over 8B
-image pulls and access to Docker’s large customer base, a publisher can
-differentiate their content by certifying their images and plugins. With a
-revenue share agreement, Docker can be a channel for your content. The Docker
-Certified badge can also be listed alongside external references to your
-product.
+Docker Store promotes Docker Certified Containers and Plugins running on Docker
+Certified Infrastructure trusted and high quality content. With over 8B image
+pulls and access to Docker’s large customer base, a publisher can differentiate
+their content by certifying their images and plugins. With a revenue share
+agreement, Docker can be a channel for your content. The Docker Certified badge
+can also be listed alongside external references to your product.
 
 #### How is the Docker Certified Container image listed on Docker Store?
 
@@ -335,11 +385,11 @@ on Docker Store.
 All Docker Certified Container images and plugins running on Docker Certified
 Infrastructure come with SLA based support provided by the publisher and Docker.
 Normally, a customer contacts the publisher for container and application level
-issues. Likewise, a customer contacts Docker for Docker Edition support.
-In the case where a customer calls Docker (or vice versa) about an issue on the
-application, Docker advises the customer about the publisher support process
-and performs a handover directly to the publisher if required. TSAnet is
-required for exchange of support tickets between the publisher and Docker.
+issues. Likewise, a customer contacts Docker for Docker Edition support. In the
+case where a customer calls Docker (or vice versa) about an issue on the
+application, Docker advises the customer about the publisher support process and
+performs a handover directly to the publisher if required. TSAnet is required
+for exchange of support tickets between the publisher and Docker.
 
 #### How does a publisher apply to the Docker Certified program?